The poc of this issue is to create a new firmware file and replace the target firmware(/firmware/nvidia/tegra210/bpmp.bin) in the device. 

 42 struct fw_header { 
 43         u32 magic; 
 44         u32 version; 
 45         u32 chip_id; 
 46         u32 mem_size; 
 47         u32 reset_offset; // modify the value of this address 
 48         u8 reserved2[124]; 
 49         u8 md5sum[32]; 
 50         u8 common_head[40]; 
 51         u8 platform_head[40]; 
 52 } __packed; 

root@jiayy:231529-tegra_bpmp_mailman-firmware-check# hexdump bpmp.bin | head 
0000000 7062 706d 0000 0000 0021 0000 fc00 0001 
0000010 0100 0000 0000 0000 0000 0000 0000 0000 // the default value if 0x1000000 
0000020 0000 0000 0000 0000 0000 0000 0000 0000 
* 
0000090 3133 6431 3066 3265 3938 3230 6563 6465 
00000a0 3234 3738 3661 3334 6463 3639 3439 3735 
00000b0 0000 0000 0000 0000 0000 0000 0000 0000 
* 
0000100 9008 e24f 0104 e59f 9000 e049 0100 e59f 
0000110 0009 e080 10fc e59f 20fc e59f 0036 eb00 

As above, the header format of file bpmp.bin is struct fw_header, 
the offset of 'reset_offset' in file bpmp.bin is '0x10', 
and its default value is '0x1000000', we can modify its value to anything we 
want and save it as a new firmware file, then replace the file in devices. 

steps: 

1) extract the firmware file 'bpmp.bin' from system.img 
2) modify value of 'reset_offset' as above 
3) replace /firmware/nvidia/tegra210/bpmp.bin with the new file we created 
4) reboot pixel c to trigger the vuln
